2 * OpenConnect (SSL + DTLS) VPN client
4 * Copyright © 2008-2012 Intel Corporation.
6 * Author: David Woodhouse <dwmw2@infradead.org>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1, as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to:
20 * Free Software Foundation, Inc.
21 * 51 Franklin Street, Fifth Floor,
22 * Boston, MA 02110-1301 USA
25 #include <sys/types.h>
27 #include <sys/socket.h>
28 #include <sys/ioctl.h>
35 #include <netinet/in_systm.h>
36 #include <netinet/in.h>
37 #include <netinet/ip.h>
39 #include <arpa/inet.h>
46 #include <sys/sockio.h>
47 #include <net/if_tun.h>
49 #error "Install TAP driver from http://www.whiteboard.ne.jp/~admin2/tuntap/"
53 #include "openconnect-internal.h"
56 * If an if_tun.h include file was found anywhere (by the Makefile), it's
57 * included. Else, we end up assuming that we have BSD-style devices such
65 * The OS X tun/tap driver doesn't provide a header file; you're expected
66 * to define this for yourself.
69 #define TUNSIFHEAD _IOW('t', 96, int)
73 * OpenBSD always puts the protocol family prefix onto packets. Other
74 * systems let us enable that with the TUNSIFHEAD ioctl, and some of them
75 * (e.g. FreeBSD) _need_ it otherwise they'll interpret IPv6 packets as IPv4.
77 #if defined(__OpenBSD__) || defined(TUNSIFHEAD)
78 #define TUN_HAS_AF_PREFIX 1
81 static int set_tun_mtu(struct openconnect_info *vpninfo)
83 #ifndef __sun__ /* We don't know how to do this on Solaris */
87 net_fd = socket(PF_INET, SOCK_DGRAM, 0);
89 perror(_("open net"));
93 memset(&ifr, 0, sizeof(ifr));
94 strncpy(ifr.ifr_name, vpninfo->ifname, sizeof(ifr.ifr_name) - 1);
95 ifr.ifr_mtu = vpninfo->actual_mtu;
97 if (ioctl(net_fd, SIOCSIFMTU, &ifr) < 0)
98 perror(_("SIOCSIFMTU"));
106 static int setenv_int(const char *opt, int value)
109 sprintf(buf, "%d", value);
110 return setenv(opt, buf, 1);
113 static int netmasklen(struct in_addr addr)
117 for (masklen = 0; masklen < 32; masklen++) {
118 if (ntohl(addr.s_addr) >= (0xffffffff << masklen))
124 static int process_split_xxclude(struct openconnect_info *vpninfo,
125 int include, const char *route, int *v4_incs,
129 const char *in_ex = include?"IN":"EX";
133 slash = strchr(route, '/');
137 vpn_progress(vpninfo, PRG_ERR,
138 _("Discard bad split include: \"%s\"\n"),
141 vpn_progress(vpninfo, PRG_ERR,
142 _("Discard bad split exclude: \"%s\"\n"),
149 if (strchr(route, ':')) {
150 snprintf(envname, 79, "CISCO_IPV6_SPLIT_%sC_%d_ADDR", in_ex,
152 setenv(envname, route, 1);
154 snprintf(envname, 79, "CISCO_IPV6_SPLIT_%sC_%d_MASKLEN", in_ex,
156 setenv(envname, slash+1, 1);
162 if (!inet_aton(route, &addr)) {
168 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_ADDR", in_ex, *v4_incs);
169 setenv(envname, route, 1);
171 /* Put it back how we found it */
174 if (!inet_aton(slash+1, &addr))
177 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_MASK", in_ex, *v4_incs);
178 setenv(envname, slash+1, 1);
180 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_MASKLEN", in_ex, *v4_incs);
181 setenv_int(envname, netmasklen(addr));
187 static int appendenv(const char *opt, const char *new)
190 char *old = getenv(opt);
194 snprintf(buf, 1023, "%s %s", old, new);
196 snprintf(buf, 1023, "%s", new);
198 return setenv(opt, buf, 1);
201 static void setenv_cstp_opts(struct openconnect_info *vpninfo)
206 struct vpn_option *opt;
208 for (opt = vpninfo->cstp_options; opt; opt = opt->next)
209 buflen += 2 + strlen(opt->option) + strlen(opt->value);
211 env_buf = malloc(buflen + 1);
217 for (opt = vpninfo->cstp_options; opt; opt = opt->next)
218 bufofs += snprintf(env_buf + bufofs, buflen - bufofs,
219 "%s=%s\n", opt->option, opt->value);
221 setenv("CISCO_CSTP_OPTIONS", env_buf, 1);
225 static void set_banner(struct openconnect_info *vpninfo)
230 if (!vpninfo->banner || !(banner = malloc(strlen(vpninfo->banner)+1))) {
231 unsetenv("CISCO_BANNER");
238 if (*p == '%' && isxdigit((int)(unsigned char)p[1]) &&
239 isxdigit((int)(unsigned char)p[2])) {
240 *(q++) = unhex(p + 1);
246 setenv("CISCO_BANNER", banner, 1);
251 static void set_script_env(struct openconnect_info *vpninfo)
254 int ret = getnameinfo(vpninfo->peer_addr, vpninfo->peer_addrlen, host,
255 sizeof(host), NULL, 0, NI_NUMERICHOST);
257 setenv("VPNGATEWAY", host, 1);
260 unsetenv("CISCO_SPLIT_INC");
261 unsetenv("CISCO_SPLIT_EXC");
263 setenv_int("INTERNAL_IP4_MTU", vpninfo->actual_mtu);
265 if (vpninfo->vpn_addr) {
266 setenv("INTERNAL_IP4_ADDRESS", vpninfo->vpn_addr, 1);
267 if (vpninfo->vpn_netmask) {
271 if (inet_aton(vpninfo->vpn_addr, &addr) &&
272 inet_aton(vpninfo->vpn_netmask, &mask)) {
275 addr.s_addr &= mask.s_addr;
276 netaddr = inet_ntoa(addr);
278 setenv("INTERNAL_IP4_NETADDR", netaddr, 1);
279 setenv("INTERNAL_IP4_NETMASK", vpninfo->vpn_netmask, 1);
280 setenv_int("INTERNAL_IP4_NETMASKLEN", netmasklen(mask));
284 if (vpninfo->vpn_addr6) {
285 setenv("INTERNAL_IP6_ADDRESS", vpninfo->vpn_addr6, 1);
286 setenv("INTERNAL_IP6_NETMASK", vpninfo->vpn_netmask6, 1);
289 if (vpninfo->vpn_dns[0])
290 setenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[0], 1);
292 unsetenv("INTERNAL_IP4_DNS");
293 if (vpninfo->vpn_dns[1])
294 appendenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[1]);
295 if (vpninfo->vpn_dns[2])
296 appendenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[2]);
298 if (vpninfo->vpn_nbns[0])
299 setenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[0], 1);
301 unsetenv("INTERNAL_IP4_NBNS");
302 if (vpninfo->vpn_nbns[1])
303 appendenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[1]);
304 if (vpninfo->vpn_nbns[2])
305 appendenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[2]);
307 if (vpninfo->vpn_domain)
308 setenv("CISCO_DEF_DOMAIN", vpninfo->vpn_domain, 1);
309 else unsetenv ("CISCO_DEF_DOMAIN");
311 if (vpninfo->vpn_proxy_pac)
312 setenv("CISCO_PROXY_PAC", vpninfo->vpn_proxy_pac, 1);
314 if (vpninfo->split_dns) {
317 struct split_include *dns = vpninfo->split_dns;
320 len += strlen(dns->route) + 1;
327 dns = vpninfo->split_dns;
329 strcpy(p, dns->route);
336 setenv("CISCO_SPLIT_DNS", list, 1);
340 if (vpninfo->split_includes) {
341 struct split_include *this = vpninfo->split_includes;
342 int nr_split_includes = 0;
343 int nr_v6_split_includes = 0;
346 process_split_xxclude(vpninfo, 1, this->route,
348 &nr_v6_split_includes);
351 if (nr_split_includes)
352 setenv_int("CISCO_SPLIT_INC", nr_split_includes);
353 if (nr_v6_split_includes)
354 setenv_int("CISCO_IPV6_SPLIT_INC", nr_v6_split_includes);
356 if (vpninfo->split_excludes) {
357 struct split_include *this = vpninfo->split_excludes;
358 int nr_split_excludes = 0;
359 int nr_v6_split_excludes = 0;
362 process_split_xxclude(vpninfo, 0, this->route,
364 &nr_v6_split_excludes);
367 if (nr_split_excludes)
368 setenv_int("CISCO_SPLIT_EXC", nr_split_excludes);
369 if (nr_v6_split_excludes)
370 setenv_int("CISCO_IPV6_SPLIT_EXC", nr_v6_split_excludes);
372 setenv_cstp_opts(vpninfo);
375 int script_config_tun(struct openconnect_info *vpninfo, const char *reason)
379 if (!vpninfo->vpnc_script || vpninfo->script_tun)
382 setenv("reason", reason, 1);
383 ret = system(vpninfo->vpnc_script);
386 vpn_progress(vpninfo, PRG_ERR,
387 _("Failed to spawn script '%s' for %s: %s\n"),
388 vpninfo->vpnc_script, reason, strerror(e));
391 if (!WIFEXITED(ret)) {
392 vpn_progress(vpninfo, PRG_ERR,
393 _("Script '%s' exited abnormally (%x)\n"),
394 vpninfo->vpnc_script, ret);
397 ret = WEXITSTATUS(ret);
399 vpn_progress(vpninfo, PRG_ERR,
400 _("Script '%s' returned error %d\n"),
401 vpninfo->vpnc_script, ret);
408 static int link_proto(int unit_nr, const char *devname, uint64_t flags)
410 int ip_fd, mux_id, tun2_fd;
413 tun2_fd = open("/dev/tun", O_RDWR);
415 perror(_("Could not open /dev/tun for plumbing"));
418 if (ioctl(tun2_fd, I_PUSH, "ip") < 0) {
419 perror(_("Can't push IP"));
424 sprintf(ifr.lifr_name, "tun%d", unit_nr);
425 ifr.lifr_ppa = unit_nr;
426 ifr.lifr_flags = flags;
428 if (ioctl(tun2_fd, SIOCSLIFNAME, &ifr) < 0) {
429 perror(_("Can't set ifname"));
434 ip_fd = open(devname, O_RDWR);
436 fprintf(stderr, _("Can't open %s: %s"), devname,
442 mux_id = ioctl(ip_fd, I_LINK, tun2_fd);
444 fprintf(stderr, _("Can't plumb %s for IPv%d: %s\n"),
445 ifr.lifr_name, (flags == IFF_IPV4) ? 4 : 6,
459 static int bsd_open_tun(char *tun_name)
465 fd = open(tun_name, O_RDWR);
469 s = socket(AF_INET, SOCK_DGRAM, 0);
473 memset(&ifr, 0, sizeof(ifr));
474 strncpy(ifr.ifr_name, tun_name + 5, sizeof(ifr.ifr_name) - 1);
475 if (!ioctl(s, SIOCIFCREATE, &ifr))
476 fd = open(tun_name, O_RDWR);
483 #define bsd_open_tun(tun_name) open(tun_name, O_RDWR)
486 static int os_setup_tun(struct openconnect_info *vpninfo)
490 #ifdef IFF_TUN /* Linux */
494 tun_fd = open("/dev/net/tun", O_RDWR);
496 /* Android has /dev/tun instead of /dev/net/tun
497 Since other systems might have too, just try it
498 as a fallback instead of using ifdef __ANDROID__ */
500 tun_fd = open("/dev/tun", O_RDWR);
503 /* If the error on /dev/tun is ENOENT, that's boring.
504 Use the error we got on /dev/net/tun instead */
508 vpn_progress(vpninfo, PRG_ERR,
509 _("Failed to open tun device: %s\n"),
513 memset(&ifr, 0, sizeof(ifr));
514 ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
516 strncpy(ifr.ifr_name, vpninfo->ifname,
517 sizeof(ifr.ifr_name) - 1);
518 if (ioctl(tun_fd, TUNSETIFF, (void *) &ifr) < 0) {
519 vpn_progress(vpninfo, PRG_ERR,
520 _("TUNSETIFF failed: %s\n"),
524 if (!vpninfo->ifname)
525 vpninfo->ifname = strdup(ifr.ifr_name);
526 #elif defined (__sun__)
527 static char tun_name[80];
530 tun_fd = open("/dev/tun", O_RDWR);
532 perror(_("open /dev/tun"));
536 unit_nr = ioctl(tun_fd, TUNNEWPPA, -1);
538 perror(_("Failed to create new tun"));
543 if (ioctl(tun_fd, I_SRDOPT, RMSGD) < 0) {
544 perror(_("Failed to put tun file descriptor into message-discard mode"));
549 sprintf(tun_name, "tun%d", unit_nr);
550 vpninfo->ifname = strdup(tun_name);
552 vpninfo->ip_fd = link_proto(unit_nr, "/dev/udp", IFF_IPV4);
553 if (vpninfo->ip_fd < 0) {
558 if (vpninfo->vpn_addr6) {
559 vpninfo->ip6_fd = link_proto(unit_nr, "/dev/udp6", IFF_IPV6);
560 if (vpninfo->ip6_fd < 0) {
562 close(vpninfo->ip_fd);
567 vpninfo->ip6_fd = -1;
569 #else /* BSD et al have /dev/tun$x devices */
570 static char tun_name[80];
573 if (vpninfo->ifname) {
575 if (strncmp(vpninfo->ifname, "tun", 3) ||
576 ((void)strtol(vpninfo->ifname + 3, &endp, 10), !endp) ||
578 vpn_progress(vpninfo, PRG_ERR,
579 _("Invalid interface name '%s'; must match 'tun%%d'\n"),
583 snprintf(tun_name, sizeof(tun_name),
584 "/dev/%s", vpninfo->ifname);
585 tun_fd = bsd_open_tun(tun_name);
588 vpn_progress(vpninfo, PRG_ERR,
589 _("Cannot open '%s': %s\n"),
590 tun_name, strerror(err));
594 #ifdef HAVE_FDEVNAME_R
595 /* We don't have to iterate over the possible devices; on FreeBSD
596 at least, opening /dev/tun will give us the next available
599 tun_fd = open("/dev/tun", O_RDWR);
601 if (!fdevname_r(tun_fd, tun_name, sizeof(tun_name)) ||
602 strncmp(tun_name, "tun", 3)) {
606 vpninfo->ifname = strdup(tun_name);
611 for (i = 0; i < 255; i++) {
612 sprintf(tun_name, "/dev/tun%d", i);
613 tun_fd = bsd_open_tun(tun_name);
618 perror(_("open tun"));
621 vpninfo->ifname = strdup(tun_name + 5);
625 if (ioctl(tun_fd, TUNSIFHEAD, &i) < 0) {
626 perror(_("TUNSIFHEAD"));
634 /* Set up a tuntap device. */
635 int setup_tun(struct openconnect_info *vpninfo)
639 set_script_env(vpninfo);
641 if (vpninfo->script_tun) {
645 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds)) {
646 perror(_("socketpair"));
655 if (setpgid(0, getpid()) < 0)
656 perror(_("setpgid"));
658 setenv_int("VPNFD", fds[1]);
659 execl("/bin/sh", "/bin/sh", "-c", vpninfo->vpnc_script, NULL);
664 vpninfo->script_tun = child;
665 vpninfo->ifname = strdup(_("(script)"));
667 script_config_tun(vpninfo, "pre-init");
669 tun_fd = os_setup_tun(vpninfo);
673 setenv("TUNDEV", vpninfo->ifname, 1);
674 script_config_tun(vpninfo, "connect");
676 /* Ancient vpnc-scripts might not get this right */
677 set_tun_mtu(vpninfo);
680 fcntl(tun_fd, F_SETFD, FD_CLOEXEC);
682 vpninfo->tun_fd = tun_fd;
684 if (vpninfo->select_nfds <= tun_fd)
685 vpninfo->select_nfds = tun_fd + 1;
687 FD_SET(tun_fd, &vpninfo->select_rfds);
689 fcntl(vpninfo->tun_fd, F_SETFL, fcntl(vpninfo->tun_fd, F_GETFL) | O_NONBLOCK);
694 static struct pkt *out_pkt;
696 int tun_mainloop(struct openconnect_info *vpninfo, int *timeout)
701 #ifdef TUN_HAS_AF_PREFIX
702 if (!vpninfo->script_tun)
703 prefix_size = sizeof(int);
706 if (FD_ISSET(vpninfo->tun_fd, &vpninfo->select_rfds)) {
708 int len = vpninfo->actual_mtu;
711 out_pkt = malloc(sizeof(struct pkt) + len);
713 vpn_progress(vpninfo, PRG_ERR, "Allocation failed\n");
718 len = read(vpninfo->tun_fd, out_pkt->data - prefix_size, len + prefix_size);
719 if (len <= prefix_size)
721 out_pkt->len = len - prefix_size;
723 queue_packet(&vpninfo->outgoing_queue, out_pkt);
727 vpninfo->outgoing_qlen++;
728 if (vpninfo->outgoing_qlen == vpninfo->max_qlen) {
729 FD_CLR(vpninfo->tun_fd, &vpninfo->select_rfds);
733 } else if (vpninfo->outgoing_qlen < vpninfo->max_qlen) {
734 FD_SET(vpninfo->tun_fd, &vpninfo->select_rfds);
737 /* The kernel returns -ENOMEM when the queue is full, so theoretically
738 we could handle that and retry... but it doesn't let us poll() for
739 the no-longer-full situation, so let's not bother. */
740 while (vpninfo->incoming_queue) {
741 struct pkt *this = vpninfo->incoming_queue;
742 unsigned char *data = this->data;
745 #ifdef TUN_HAS_AF_PREFIX
746 if (!vpninfo->script_tun) {
747 struct ip *iph = (void *)data;
752 else if (iph->ip_v == 4)
755 static int complained = 0;
758 vpn_progress(vpninfo, PRG_ERR,
759 _("Unknown packet (len %d) received: %02x %02x %02x %02x...\n"),
760 len, data[0], data[1], data[2], data[3]);
767 *(int *)data = htonl(type);
770 vpninfo->incoming_queue = this->next;
772 if (write(vpninfo->tun_fd, data, len) < 0) {
773 /* Handle death of "script" socket */
774 if (vpninfo->script_tun && errno == ENOTCONN) {
775 vpninfo->quit_reason = "Client connection terminated";
778 vpn_progress(vpninfo, PRG_ERR,
779 _("Failed to write incoming packet: %s\n"),
784 /* Work is not done if we just got rid of packets off the queue */
788 void shutdown_tun(struct openconnect_info *vpninfo)
790 if (vpninfo->script_tun) {
791 /* nuke the whole process group */
792 kill(-vpninfo->script_tun, SIGHUP);
794 script_config_tun(vpninfo, "disconnect");
796 close(vpninfo->ip_fd);
798 if (vpninfo->ip6_fd != -1) {
799 close(vpninfo->ip6_fd);
800 vpninfo->ip6_fd = -1;
805 close(vpninfo->tun_fd);
806 vpninfo->tun_fd = -1;